Computer World Security

Breadcrumb

Just when you’re ready to settle in for some egg and nog and whatever may accompany, Windows starts throwing poison frog darts. This month, a fairly boring patching regiment has turned topsy turvey with an unexplained emergency patch for Internet Explorer (you know, the browser nobody uses), combined with an Outlook 2013 patch that doesn’t pass the smell test.

Mysterious bug fix for IE

Microsoft set off the shower of firecrackers on Dec. 19 when it released a bevy of patches for Internet Explorer:

Microsoft rarely mentions Internet Explorer (IE) anymore, but when it does, it usually means bad news.

So it was Wednesday, when Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne.

According to Microsoft, attackers are already exploiting the vulnerability, making it a classic "zero-day" bug. Because of that, the company released a fix before the next round of security updates scheduled for Jan. 8.

CryptoLocker. WannaCry. Petya. Bad Rabbit. The ransomware threat isn’t going away anytime soon; the news brings constant reports of new waves of this pernicious type of malware washing across the world. It’s popular in large part because of the immediate financial payoff for attackers: It works by encrypting the files on your hard disk, then demands that you pay a ransom, frequently in Bitcoins, to decrypt them.

Android security is always a hot topic on these here Nets of Inter — and almost always for the wrong reason.

As we've discussed ad nauseam over the years, most of the missives you read about this-or-that super-scary malware/virus/brain-eating-boogie-monster are overly sensationalized accounts tied to theoretical threats with practically zero chance of actually affecting you in the real world. If you look closely, in fact, you'll start to notice that the vast majority of those stories stem from companies that — gasp! — make their money selling malware protection programs for Android phones. (Pure coincidence, right?)

It's tough to talk about Android security without venturing into sensational terrain.

A large part of that is due to the simple fact that the forces driving most Android security coverage are companies that make their money by selling Android security software — and thus companies with strong interests in pushing the narrative that every Android phone is on the perpetual brink of grave, unfathomable danger. Plus, let's face it: A headline about 70 gazillion Android phones being vulnerable to the MegaMonsterSkullCrusher Virus is far more enticing than one explaining the nuanced realities of Android security.

In actuality, though, Android security is a complex beast — one with multiple layers in place to protect you and one that almost never warrants an alarmist attitude. I've been covering Android security closely since the platform's earliest days, and I've busted more myths and called out more shameless publicity stunts than I can even count at this point.

Think fast: How many times a day do you pick up your phone to look at something? Unless you live in the tundra or have far more self-control than most, the answer probably falls somewhere between "quite a few" and "more than any sane person could count." Assuming you keep your device properly secured, that means you're doing an awful lot of unlocking — be it with your face, your fingerprint, or the code you tap or swipe onto your screen.

And that's to say nothing of the number of times you type your password into your laptop or enter your credentials into an app or website during the day. Security's important, but goodness gracious, it can be a real hassle.

It's more than a few years back, and this oilfield services company is implementing a new email filter, says a pilot fish working there.

"It was part of an email security product," fish says. "The filter could identify emails containing language that was not considered business appropriate.

"We'd had HR incidents involving inappropriate language in the past, especially from field hands emailing to office staff -- it gave a new meaning to 'crude oil workers' -- so it was decided we should enable the feature with its default settings and give it a run.

"Only a few hours later we received an alert that a message had been identified with inappropriate language.

We’re always told never to click on a link we receive in an email in case doing so takes us to some dodgy phishing site where our account details are violated. But what if our email app warned us before we clicked malicious links?

Can this app protect against phishing attempts?

MetaCert isn’t fully available yet, but it does seem to be a promising solution that provides email users in enterprise and consumer markets an additional line of defense against clicking on malicious links received in email messages.

The solution emerged from the developer’s earlier work building an API to help app developers add a layer of security to WebView.

Flashback a few decades to the glory days of online service CompuServe, when anyone could get an account -- but not everyone could use their real names, according to a pilot fish in the know.

"You logged in with your account number, but to join a forum -- a chatroom focused on a specific topic -- you had to give a real name," fish says. "The name on your billing record was the default.

"Of course there were fraudsters who used an official-sounding name to phish people for personal info and credit card data. So users were not allowed to have words like 'billing' as any part of their in-forum real name. This could only be overridden by the forum sysop. I was one.

Got Fi? Google's unusual wireless service may have shifted its name from Project Fi to Google Fi this fall, but its core proposition remains the same: Pay only for the data you use, and avoid all the traditional carrier gotchas and nonsense.

For the right kind of person, especially among those of us on Android, Fi can be a real cost- and hassle-saver. And aside from its most prominently promoted perks — the seamless network-switching, the public Wi-Fi use, the fee-free roaming and hotspot capabilities, and so on — Fi has some pretty interesting out-of-the-way options that can really elevate your experience.

Imagine using Face ID on your iPhone alongside a password and Touch ID on your computer in order to access highly secure websites, such as online banks, enterprise intranets and confidential online data services.

That’s a possibility as Apple begins testing a new security standard called WebAuthn.

In a joint report for the Monitoring, Evaluation, Research and Learning (MERL) Technology conference this fall, researchers who studied 43 blockchain use cases came to the conclusion that all underdelivered on claims.

And, when they reached out to several blockchain providers about project results, the silence was deafening. "Not one was willing to share data," the researchers said in their blog post.

Amazon this week announced its latest data analytics product, one aimed at scouring unstructured data within electronic medical records (EMRs) to offer up insights that physicians can use to better treat patients.

Amazon's new Comprehend Medical AWS cloud service is a natural-language processing engine that purports to be able to read physician notes, patient prescriptions, audio interview transcripts, and pathology and radiology reports – and use machine learning algorithms to spit out relevant medical information to healthcare providers.

Windows 10 powered to its third anniversary this year, but one branch, identified by the initials L-T-S-B, remained an enigma to most corporate users.

LTSB, which stands for "Long-term Servicing Branch," was among the pillars of Windows 10 in the months leading up to, and for months after, the mid-2015 roll-out of the operating system. For a time, it seemed that it had a shot at becoming the Windows 10 for enterprise because it was seen as a calm port in a storm of radical change.

By far the most important reason for this month’s relative patching calm: Microsoft decided to wait and get the Windows 10 (version 1809) patch right instead of throwing offal against a wall and seeing what sticks.

What remains is a hodge-podge of Windows patches, some mis-identified .NET patches, a new Servicing Stack Update slowly taking form, a bunch of Office fixes – including two buggy patches that have been pulled and one that’s been fixed – the usual array of Flash excuses and Preview patches.

Just one day after Microsoft came clean with an explanation of a Nov. 19 outage that blocked users of Office 365 from logging into their accounts using Multi-Factor Authentication (MFA), today the service again went on the fritz.

"Starting at 14:25 UTC on 27 Nov 2018, customers using Multi-Factor Authentication (MFA) may experience intermittent issues signing into Azure resources, such as Azure Active Directory, when MFA is required by policy," read the Azure status dashboard. Two and a half hours later, the dashboard reported that after resolving a problem with an earlier DNS (Domain Name Service) issue, engineers rebooted the services. "They observed a decrease in the failure rate after the reboot cycles," the dashboard concluded.

Authentication: the act of proving one’s identity to the satisfaction of some central authority. To most, this process means typing in a username and a password. It’s been this way for years and years.

Windows Hello is a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition. The sign-in mechanism is essentially an alternative to passwords and is widely considered to be a more user friendly, secure and reliable method to access critical devices, services and data than traditional logins using passwords.

“Windows Hello solves a few problems: security and inconvenience,” said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. “Traditional passwords are unsafe as they are hard to remember, and therefore people either choose easy-to-guess passwords or write down their passwords.”

Encryption may sound like a subject best left to hackers and tinfoil hat wearers, but don't be fooled: It's a critical part of contemporary life and something that's important for everyone, especially business users, to understand. And one of the places where encryption is most relevant and misunderstood is in the realm of email.

If you're using Gmail for electronic communication — be it for business, for personal use, or a combination of the two — it's well worth your while to know how the service does and doesn't secure your information and what steps you can take to make sure you're getting the level of privacy you need.

You might not know it from all the panic-inducing headlines out there, but Android is actually packed with powerful and practical security features. Some are activated by default and protecting you whether you realize it or not, while others are more out of the way but equally deserving of your attention.

So stop wasting your time worrying about the Android malware monster du jour and which security company is using it to scare you into an unnecessary subscription, and take a moment instead to look through these far more impactful Android security settings — starting with the core elements and moving from there into some more advanced and easily overlooked options.

Tags

About SecurityFeeds

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry. Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.